ABSTRACT

A system and method of reducing control message signaling 
load in a radio telecommunications network. When an 
authentication request is issued by the mobile switching 
center (MSC), the home network performs authentication of 
the visiting subscriber. When authentication fails the home 
network determines if a threshold value is reached. If so, a 
suitable authentication code portion is included in the return 
message so that local authentication of the visiting sub- 
scriber may be performed. The MSC is able to locally 
authenticate a visiting subscriber trying to access the net- 
work thereby suppressing the transmission of additional 
authentication requests and failure reports to the home 
network. For failed authentications, the VLR transmits 
authentication failure reports to the home network. If a 
threshold value is reached the MSC locally authenticates the 
mobile subscriber's subsequent attempts so that the VLR is 
precluded from sending additional authentication failure 
reports to the home network. 

14 Claims, 7 Drawing Sheets 
SYSTEM AND METHOD FOR REDUCING NETWORK SIGNALING LOAD IN A
RADIO TELECOMMUNICATIONS NETWORK

BACKGROUND OF THE INVENTION

1. Technical Field of the Invention

This invention relates to telecommunication systems and,
more particularly, to a system and method for reducing the
network signaling load in a radio telecommunications network
after a mobile subscriber has failed authentication
pursuant to accessing a network while roaming in a visited
service area.

2. Description of Related Art

Continuous improvement in subscriber services has been
a much sought-after goal in the radio telecommunications
industry since its beginnings. Generally, providing improved
subscriber services is predicated upon efficient utilization of
network resources associated with a radio telecommunications
network. One of the key aspects in this regard is the
availability of resources, for example, the bandwidth of
communication links comprising the network, for legitimate
users or subscribers. Another related aspect is the reduction
or minimization of unwanted network traffic attributable to
fraudulent users or to subscribers who fail certain security
measures associated with the network.

In order to reduce fraud in radio telecommunications
networks, existing networks include an authentication center
(AC) which is normally co-located with a home location
register (HLR). The AC is utilized to perform a verification
of the identity of a mobile station each time the mobile
station accesses the network. Each subscriber has an
authentication key (A-key) stored in the AC and in the mobile
station. For security reasons, the A-key is typically never
sent out in its unencrypted (or "plaintext") form to other
nodes in the network. Instead, the AC constructs what is
known as Shared Secret Data (SSD). SSD is authentication
data which may be shared between the AC, the HLR, the
mobile station, and the mobile switching center (MSC)
serving the mobile station. The SSD is normally calculated
utilizing a random number, the subscriber's A-key, and other
factors such as the mobile identification number (MIN) and
electronic serial number (ESN) of the subscriber's mobile
station. Typically, the SSD may be sent from the AC to any
MSC where the subscriber roams.

Each time a mobile station accesses the radio
telecommunications network, the access is challenged by the
network which determines whether the information stored in
the mobile station matches the information stored in the
network's authentication center (AC). An example of such
an authentication technique is what is known as a "global
challenge" (GC) on the common signaling channel (for
example, a random access channel or a pilot channel) and
utilizes the SSD, typically for an authentication and a voice
privacy function.

One of the problems in conventional global challenge
authentication systems is that a fraudulent user may gain
access to the network by rapidly sending (that is,
"hammering") a large number of registration requests,
system accesses or both, which, hereinafter may be referred to
as "accesses" collectively. These accesses may include, for
example, autonomous registration, power down registration,
call origination, page response, or Short Message Service
(SMS) page response, and the like. The serving MSC
typically sends an Authentication Request message to the
AC corresponding to each of these registration/system
accesses if it does not have a Visitor Location Record (VLR)
or the SSD of the accessing mobile station. In some
instances, on the other hand, the serving MSC may have a
VLR record where the SSD is already shared. Under such
circumstances, the serving system typically sends an
Authentication Failure Report message to the AC to report
any failed accesses encountered pursuant to its
authentication and/or validation procedures. Accordingly, it
should be appreciated that in either scenario (that is, where
the SSD is not shared and Authentication Request messages
are rapidly sent, or where the SSD is already shared and
Authentication Failure Report messages are rapidly sent), the
HLR/AC and/or the MSC may become overloaded because of the
rapid transmission of repeated messages and may enter a
failed state which could allow access to the fraudulent user.

[...] problem relating to the global challenge
authentication system exists in conventional implementations.
When a [...] subscriber [...] authentication upon [...]
network and yet continues to attempt to [...] periodically
therewith or to send system accesses thereto, unnecessary and
undesirable signaling load is [...] by message [...] between a
home network and a visited network due to the [...]. Such
network load negatively impacts the [...] available in the
communication link therebetween.

Moreover, as can be easily realized, undesirable signaling
load may also be encountered when a VLR record pertaining
to a previously authenticated mobile station is "hijacked" by
a fraudulent user who uses a "clone" mobile station to gain
access to the network but repeatedly fails authentication by
the MSC/VLR which already has the SSD. The repeated
Authentication Failure Report messages transmitted from the
VLR to the HLR/AC because of the repeated failed attempts at
access, therefore, also negatively impact the available
network bandwidth.

Accordingly, based upon the foregoing discussion, it
should be readily appreciated that in order to overcome the
deficiencies, shortcomings and problems set forth above, it
would be advantageous to have a method and system for
reducing unnecessary and/or undesirable network signaling
load that is generated when a failed user, fraudulent or
otherwise, repeatedly attempts to access the network. The
present invention provides such a method and system.

SUMMARY OF THE INVENTION

In one aspect, the present invention is directed to a radio
telecommunications network system which includes a home
network for controlling cellular communication of a
subscriber over a home service area, the home network
including a Home Location Register (HLR) and an authentication
center (AC). A visited network of the radio
telecommunications network system is included for controlling
cellular transmission over a visited service area. The visited
network (or the serving system) comprises a serving mobile
switching center (MSC) and an associated Visitor Location
Register (VLR). There are means in the network for sending a
return message from the home network to the MSC upon
determining, in the HLR/AC, that a threshold value associated
with one or more network access attempts by the
subscriber is reached or exceeded, when it is located in the
visited service area as a roaming subscriber and repeatedly
attempts to access the radio telecommunications network
system. The return message includes an authentication code
portion. In addition, there are means in the serving MSC for
locally authenticating the roaming subscriber based upon the
authentication code portion received from the home
network, when the roaming subscriber attempts to re-access
the radio telecommunications network system after it is
initially denied access by the AC in the home network.

In another aspect, the present invention is directed to a 
method of reducing control message signaling load in a 
radio telecommunications network system. The network 
system is preferably of the type which includes a home 
network, comprising an HLR and an associated AC, and a 
visited network comprising a serving MSC and an associ- 
ated VLR. When a visiting subscriber roams into a visited 
service area serviced by the visited network and periodically 
attempts to access the network, the method of the present 
invention forwards one or more corresponding authentication
requests from the visited network to the home network.
Upon detecting authentication failure, the home network
determines if a threshold value associated with the periodic
attempts to the network is triggered. Responsive to the
determination step in the home network, a return message is
sent from the home network to the serving MSC which
includes an authentication code portion required for
authenticating the visiting subscriber. Upon receiving the
return message, the MSC performs local authentication of the
visiting subscriber if it attempts to re-access the radio
telecommunications network and suppresses the forwarding 
of corresponding additional authentication requests to the 
home network. 

In a yet further aspect, the present invention relates to a 
method of authenticating a mobile station requesting access 
to a radio telecommunications network which includes a 
serving MSC serving the mobile station, a VLR associated 
with the serving MSC, an HLR which stores subscriber 
information and location information relating to the mobile 
station, and an AC associated with the HLR. The AC and the 
HLR preferably form a home network for the mobile station. 
After receiving one or more access attempts from the mobile 
station in the serving MSC, corresponding authentication 
requests are sent from the serving MSC to the AC via the 
VLR and the HLR. The home network determines, upon 
detecting that mobile station failed authentication after one 
or more attempts to access the network, if a threshold value 
associated with the access attempts is exceeded or reached. 
If so, a return message is sent from the home network to the 
serving MSC with an instruction to deny the mobile station 
access to the network. The return message preferably 
includes shared data for authenticating the mobile station. 
Whenever subsequent network access attempts are received 
from the mobile station, the serving MSC determines 
whether the mobile station passes local authentication. Also, 
instructions are suppressed in the serving MSC to send 
authentication failure reports to the AC if the mobile station 
fails subsequent local authentication. A subsequent authen- 
tication request is sent from the serving MSC to the AC once 
the mobile station passes validation pursuant to a subsequent 
local authentication. In response, the AC in the home 
network then authenticates the mobile station. 

In a still further aspect, the present invention is directed 
to a method of authenticating a mobile station requesting 
access to a radio telecommunications network when a vis- 
ited network already has a shared authentication code for the 
mobile station. The visited network preferably includes a 
serving or visited MSC serving the mobile station and a 
VLR associated with the serving MSC. A home network 
comprises an HLR which stores subscriber information and 
location information relating to the mobile station, and an 
AC associated with the HLR. When the serving MSC 
receives one or more attempts to access the radio telecom- 
munications network by the mobile station, it verifies the 
mobile station's attempts by issuing one or more locally
requested validation/authentication procedures, corresponding
to the mobile station's attempts. In one exemplary
embodiment, the local validation/authentication procedure
comprises issuing a unique challenge order to the mobile
station. When the VLR determines that the mobile station
failed authentication, it sends one or more authentication
failure reports to the AC, each corresponding to an
authentication failure by the mobile station. If the home
network subsequently determines that the authentication
failure reports have exceeded a threshold value associated
therewith, it sends a return message to the serving MSC with
an instruction to locally authenticate the mobile station for
subsequent accesses to the network. Also, the VLR is
instructed to stop sending authentication failure reports to
the AC if the mobile station fails local authentication for its
subsequent accesses to the network.

BRIEF DESCRIPTION OF THE DRAWINGS 

A more complete understanding of the present invention
may be had by reference to the following Detailed
Description when taken in conjunction with the accompanying
drawings wherein:

FIG. 1 depicts a simplified control message flow pathway
between a home network and a visited network pursuant to
registration or a system access by a visiting subscriber;

FIG. 2A depicts a control message flow pathway for
effectuating an aspect of the present invention when the SSD
is not shared and repeated authentication failures are
encountered upon initial access;

FIG. 2B depicts a control message flow pathway for
effectuating another aspect of the present invention when the
SSD is shared and repeated authentication failures are
encountered thereafter;

FIGS. 3A and 3B depict a flow diagram of an exemplary
method of reducing control message signaling load between
a home network and a visited network in accordance with
one aspect of the present invention;

FIG. 4 depicts a flow diagram of an exemplary method of
reducing control message signaling load between a home
network and a visited network in accordance with another
aspect of the present invention; and

FIG. 5 depicts an exemplary embodiment of a radio
telecommunications network system provided in accordance
with the teachings of the present invention.

DETAILED DESCRIPTION OF THE DRAWINGS 

In the drawings, like or similar elements are designated
with identical reference numerals throughout the several
views, and the various elements depicted are not necessarily
drawn to scale. Referring now to FIG. 1, depicted therein is
a simplified flow pathway for control messages that
are transmitted pursuant to registration and/or a system
access of a mobile station used by a visiting mobile
subscriber who roams into a visited service area (or roaming
area) 104B from a home service area (or home area) 104A.
The home service area 104A is serviced by a Service Control
Point 102A which includes a Home Location Register (home
HLR) 236 and Authentication Center (AC) 232, a mobile
switching center (MSC) 243 and a Visitor Location Register
(VLR) 242. Similarly, the visited service area 104B is
serviced by a Service Control Point 102B which includes a
Home Location Register (HLR) 252 and Authentication
Center (AC) 246, a mobile switching center (MSC) 258 and
a Visitor Location Register (VLR) 256. The components
servicing the home service area 104A may be treated
together as a home network 212, whereas the components 
servicing the visited service area 104B may likewise be 
treated as a visited network 216. It should be appreciated by 
those skilled in the art that although the components of the 
home and visited networks are shown as separate functional 
blocks, in some embodiments they may be integrated 
together into any combination. For example, as is conven- 
tionally known in the art, the HLR and AC are commonly 
provided as a single node. Also, in some instances, the MSC 
and VLR may be combined as a visited MSC. Furthermore, 
the MSC and VLR of the visited network 216 may collec- 
tively be referred to as a "serving system," wherein the MSC 
is known as the "serving MSC". 

When the MSC 258 detects that a mobile subscriber has 
roamed into the visited service area 104B or when the 
mobile subscriber attempts an access to the network while 
located therein, an Authentication Request (AUTHREQ) 
message is transmitted or propagated in stages from the 
visited network 216 to the home network 212. The Authen- 
tication Center 232 in the home network 212 responds to the 
received AUTHREQ message and sends a return message to 
indicate whether the mobile subscriber is allowed to access 
the network (i.e., authenticated) in the visited service area 
104B. The return message stages or segments are shown 
collectively as authreq message segments transmitted or 
propagated back to the MSC 258. As is common in the art, 
in FIG. 2, invoked Authentication Request messages are 
shown in upper case letters and responses to them are shown 
in lower case letters, all collectively denoted by reference 
numeral 270. These invoked and returned messages are 
common to various types of system accesses. 

Once the mobile station used by the visiting subscriber 
has been authenticated, the subscriber's location can be 
registered with the home HLR 236, as may be indicated by 
a plurality of appropriate messages, for example, by the 
REGNOT and regnot messages 272 shown herein. Also, 
upon successful authentication, the home network 212 trans- 
mits the SSD for the mobile subscriber to the MSC 258 so 
that it can locally authenticate the mobile subscriber for 
subsequent accesses. 

As provided in the Background section of the present 
patent application, even after the visiting subscriber has 
failed authentication, it may typically continue to attempt to 
periodically access the home network 212 in a conventional 
network system. Because of the periodic attempts at regis- 
tration and/or system accesses, control message signaling 
load relating to the Authentication Request messages 270 
continues to escalate within the network system, thereby 
unnecessarily using up at least a portion of the available link 
bandwidth between the home and visited networks. 

FIG. 2A depicts a control message flow pathway provided
in accordance with the teachings of the present invention for
effectuating one aspect thereof, wherein the SSD is not
initially shared with the visited network 216 and repeated
authentication failures are encountered upon initial access.
For the sake of brevity, only relevant component portions of
the home and visited networks, 212 and 216, respectively, are
shown. Pursuant to repeated registration/system accesses,
one or more AUTHREQ messages with appropriate parameters
are transmitted or "hammered" from the serving MSC
258 to the home network 212, as described hereinabove.
These AUTHREQ messages are propagated via the VLR
256 and the home HLR 236 to the AC 232 of the home
network. This message propagation is shown as three
propagation segments, segment [a] 302, segment [b] 304 and
segment [c] 306. If the mobile subscriber fails authentication
as determined by the AC 232, an authreq return message or
response is transmitted back therefrom. In accordance with
the teachings of the present invention, responsive to a
number of AUTHREQ messages from the visited network,
the home network determines, upon a preselected threshold
value, that the authreq return message is to be modified to
include an authentication code portion (such as, for example,
the SSD or an encrypted A-key) in addition to the Deny
Access parameter so that local authentication may be
effectuated by the visited network 216. That is, the visited MSC
is now capable of performing authentication/validation of
the visiting mobile station and, in accordance herewith, it
does not report authentication failures, if any, back to the
HLR. The propagation of the authreq return message is
shown in three segments, segment [d] 308, segment [e] 310
and segment [f] 312.

Accordingly, upon receiving the propagated authreq
return message, the serving MSC 258 marks the failed
mobile station for local authentication/verification.
Consequently, the serving MSC is instructed to authenticate
the failed mobile subscriber itself if repeated attempts at
registration and/or system access are made, by utilizing the
received authentication code portion from the home network
212. Further, the MSC 258 (in combination with the VLR
256) is provided with the capability to suppress additional
Authentication Failure Report (AFREPORT) messages (not
shown) for the failed mobile subscriber until a positive
authentication is made by the serving MSC 258. Once a
positive authentication is made by the MSC 258, it can then
issue a regular AUTHREQ message with appropriate
parameters to the home network 212. In response, the HLR/AC
combination may also proceed with the step of positively
authenticating the mobile subscriber. It should be readily
appreciated, consequently, that undesirable control signaling
load attributable to repeat attempts by the failed mobile
subscriber to access the network in the roaming area is
substantially reduced.

It should be further realized that the threshold value in the
foregoing discussion, which triggers the determination in the
home network to include shared authentication data in the
return message, may be defined in numerous ways dependent
upon specific implementations. For example, it can
include any combination of the number and frequency of the
repeatedly received AUTHREQ messages, system access
type, time delays, et cetera.

Referring now to FIG. 2B, depicted therein is a control
message flow pathway provided in accordance with the
teachings of the present invention for effectuating another
aspect thereof, wherein the SSD is shared and repeated
authentication failures are encountered after a VLR record
already exists for a visiting mobile station (MS) 299 (which
may have been hijacked by a fraudulent user). When the
SSD is shared with the visited network 216, the serving VLR
256 assumes the responsibility of issuing an appropriate
authentication/validation local procedure such as, for
example, a Unique Challenge, for the purpose of
authenticating the visiting MS 299. It should be understood that
although the Unique Challenge procedure is described
hereinbelow for the purpose of exemplifying the teachings of the
present invention, any VLR-associated authentication/
validation (that is, locally requested procedure) is equally
applicable within the scope hereof.

Continuing to refer to FIG. 2B, the serving VLR 256
chooses a Unique Random Variable (RANDU) and executes
a procedure known as the CAVE procedure using the currently
stored SSD, ESN, MIN1 and MIN2 associated with the MS
299 to produce an Authentication Response for Unique
Challenge (AUTHU). The VLR 256 sends an Authentication
Directive (AUTHDIR) message 350 to the serving MSC 258
using the RANDU and AUTHU as parameters. A response
message, authdir 352, is transmitted back from the serving
MSC 258 to the VLR 256 to inform the VLR that the serving
MSC has accepted the Directive.

The serving MSC 258, subsequently, sends a Unique
Challenge order 354 with the RANDU parameter provided
in the AUTHDIR to the visiting MS 299. In response, the
visiting MS 299 executes the CAVE algorithm using the
RANDU, the SSD stored therein, ESN, MIN1 and MIN2 to
produce its Unique Challenge Response (AUTHU) which is
sent back to the serving MSC 258. Accordingly, this signal
flow segment [d] 356 is shown to include the MS-created
AUTHU value. The serving MSC 258 then compares the
value of AUTHU provided in the AUTHDIR message from
the VLR 256 with the value of AUTHU transmitted back
from the MS 299. After the comparison, the MSC 258 sends
an Authentication Status Report (ASREPORT) message 358
to the VLR 256 to indicate that the Unique Challenge
process has been completed.

In response to the received ASREPORT message 358, the
[...] failed to authenticate the visiting MS 299, the serving
VLR 256 also issues an AFREPORT 362 message to the home
[...] propagated to the AC 232 via the signal flow segment
[h] [...].

In accordance with the teachings of the present invention,
when repeated AFREPORT messages are sent to the home
network, the AC 232 of the home network 212 is provided
with a threshold value algorithm in a similar manner
described hereinabove with respect to the situation wherein
the SSD is initially unavailable with the visited network.
[...] the preselected threshold value is reached or triggered,
the AC 232 issues an afreport return message 366 with a
modified or suitably expanded Deny Access parameter. The
afreport message is propagated from the HLR 236 to the
serving VLR via the flow segment 0] 368. The expanded
Deny Access parameter of the afreport return message
[...] an indication that instructs the serving
MSC 258 to engage in local authentication or validation of
[...] AFREPORT messages 362 repeatedly. The local
authentication of the failed MS 299 may preferably continue
until it [...], whereupon the VLR 256 will activate its normal
authentication procedure.

Once more, it should be realized again that the threshold
value in the foregoing discussion, which triggers the
determination in the home network to include a modified Deny
Access parameter in the afreport return message, may be
defined in numerous ways dependent upon specific
implementations. For example, it can include any combination of
the number and frequency of the repeatedly received
AFREPORT messages, time intervals/delays, et cetera.

FIGS. 3A, 3B and 4 depict two flow diagrams which
illustrate an exemplary embodiment of the processes set
forth above in relation to the two aspects of the present
invention, respectively. Referring to FIGS. 3A and 3B in
particular, upon forwarding one or more AUTHREQ messages
with appropriate parameters to the home network 212
by the MSC 258 (step 402), an authentication failure is
determined or detected by the AC 232 (step 404). An authreq
return message is propagated back from the home network
212 to the MSC 258 (step 406), which return message
contains a suitable authentication code portion such as, for
example, the SSD, upon determination in the home network
that a preselected threshold value is triggered. If further
attempts are made by the failed mobile subscriber to register
or access the network (as denoted by the decision block
408), the MSC 258 is instructed to authenticate the visiting
subscriber (step 410). If the authentication step by the
serving MSC 258 [...] (decision block 412), it can
issue a regular AUTHREQ message with appropriate
parameters to the AC in the home network 212 (step 414). The AC
[...] authenticate the mobile subscriber in
the normal fashion (step 416). If the authentication by the
MSC results in a failure, the MSC 258 may be instructed (in
combination with the VLR 256, in some implementations) to
suppress additional Authentication Failure Report
(AFREPORT) messages for the failed mobile subscriber
(step 418), [...] until a positive authentication is
made by the MSC 258. If no further attempts are made, the
flow control of the process is returned (step 420).

Referring now to FIG. 4, when repeated failures are
encountered by the mobile subscriber (step 502) in a visited
network that already has the shared authentication data (i.e.,
SSD), a plurality of AFREPORT messages are sent by the
VLR 256 to the HLR/AC of the home network 212
(step 504) as described hereinabove in relation to FIG. 2B.
In accordance with an appropriate threshold value
algorithm, a determination is made if a suitable threshold
value is triggered (decision block 506). Until the threshold
value is triggered, the VLR may keep sending
the AFREPORT messages to the home network 212, by
taking the NO path from the decision block 506. If the
threshold value is triggered, the AC 232 generates an
afreport return message with a suitably expanded Deny Access
parameter to instruct the visited MSC 258 to engage in local
authentication/validation of the failed mobile subscriber
(step 508). Further, pursuant to the local authentication or
validation by the visited MSC 258, additional AFREPORT
messages, if any, are suppressed in the VLR 256 (step 510).
The local authentication/validation by the MSC 258
preferably continues until the mobile subscriber passes the
requested local authentication/validation procedure (for
example, the Unique Challenge process) (step 512),
whereupon regular procedures may be engaged by the serving
VLR 256 (step 514).

FIG. 5 depicts an exemplary embodiment of a radio
telecommunications network system 400 provided in
accordance with the teachings of the present invention.
The home network 212 comprises the HLR/AC
node 102A in addition to the MSC/VLR 243/242
associated therewith. The visited network 216 comprises the
HLR/AC node 102B in addition to the serving MSC and
VLR complex 258/256. A suitable control signal pathway
410, for example, a Signaling System 7 (SS7) pathway, is
provided between the home and visited network portions.
The node 102A is provided with an authentication/
threshold logic block 402 for effectuating authentication
and/or threshold value determination as described
hereinabove. Coupled thereto is a sending mechanism 404 for
transmitting return messages with SSD information and/or
suitably expanded Deny Access parametric information to
the visited network 216. The serving MSC and VLR
complex 258/256 comprises an authentication logic block 406
for locally authenticating visiting subscribers in accordance
with the teachings of the present invention, based upon the
instructions and/or SSD information received from the home
network 212. Furthermore, the serving MSC/VLR complex
258/256 comprises a suppression block 408 for suppressing
the Authentication Request and Authentication Failure
Report messages as described above in specific reference to
FIGS. 3A, 3B and 4.
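
The two flows described above (FIGS. 2A/3A-3B, SSD not yet shared, and FIGS. 2B/4, SSD already shared) can be traced in a short simulation that counts the messages crossing the link to the home network. This is an added example, not code from the patent: HMAC-SHA256 stands in for CAVE, and the class names, the count-within-a-window threshold and the sample MIN/ESN values are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque


def cave_stand_in(ssd, rand, esn, min_):
    # Assumption: HMAC-SHA256 stands in for CAVE, which the page only names.
    return hmac.new(ssd, rand + esn + min_, hashlib.sha256).digest()


class Mobile:
    def __init__(self, min_, esn, ssd):
        self.min, self.esn, self.ssd = min_, esn, ssd

    def respond(self, rand):
        return cave_stand_in(self.ssd, rand, self.esn, self.min)


class HomeAC:
    """HLR/AC threshold logic: `limit` failures inside `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.ssd = {}                        # MIN -> SSD held by the AC
        self.failures = defaultdict(deque)   # MIN -> failure timestamps

    def _triggered(self, min_, now):
        q = self.failures[min_]
        q.append(now)
        while now - q[0] > self.window:      # keep only recent failures
            q.popleft()
        return len(q) >= self.limit

    def authreq(self, min_, esn, rand, answer, now):
        """Return (deny, ssd); a deny carries the SSD once the threshold trips."""
        ssd = self.ssd[min_]
        if hmac.compare_digest(answer, cave_stand_in(ssd, rand, esn, min_)):
            self.failures[min_].clear()
            return False, ssd                # SSD is shared on success
        return True, (ssd if self._triggered(min_, now) else None)

    def afreport(self, min_, now):
        """Return True when the reply carries the expanded Deny Access."""
        return self._triggered(min_, now)


class ServingMSC:
    """Serving MSC/VLR complex; link_msgs counts messages sent to the home network."""

    def __init__(self, home):
        self.home, self.vlr, self.link_msgs = home, {}, 0

    def _authreq(self, ms, rand, answer, now):
        self.link_msgs += 1                  # AUTHREQ crosses the link
        deny, ssd = self.home.authreq(ms.min, ms.esn, rand, answer, now)
        if ssd is not None:
            self.vlr[ms.min] = {"ssd": ssd, "local_only": deny}
        return "denied" if deny else "granted"

    def access(self, ms, now):
        rand = os.urandom(4)
        answer = ms.respond(rand)
        rec = self.vlr.get(ms.min)
        if rec is None:                      # SSD not shared (FIG. 2A)
            return self._authreq(ms, rand, answer, now)
        expected = cave_stand_in(rec["ssd"], rand, ms.esn, ms.min)
        ok = hmac.compare_digest(answer, expected)
        if rec["local_only"]:
            if not ok:
                return "denied locally"      # AUTHREQ and AFREPORT suppressed
            return self._authreq(ms, rand, answer, now)  # regular AUTHREQ
        if ok:
            return "granted"
        self.link_msgs += 1                  # AFREPORT crosses the link (FIG. 2B)
        rec["local_only"] = self.home.afreport(ms.min, now)
        return "denied"


def run(limit, attempts, ssd_shared, spacing=1.0):
    """Constructed scenario: a clone with the wrong SSD retries every `spacing` s."""
    min_, esn = b"5551230000", b"\x12\x34\x56\x78"    # constructed sample values
    real = Mobile(min_, esn, os.urandom(16))
    clone = Mobile(min_, esn, os.urandom(16))
    home = HomeAC(limit, window=60.0)
    home.ssd[min_] = real.ssd
    msc = ServingMSC(home)
    if ssd_shared:
        msc.access(real, now=0.0)            # legitimate access shares the SSD
    before = msc.link_msgs
    results = [msc.access(clone, now=t * spacing) for t in range(1, attempts + 1)]
    hammer_msgs = msc.link_msgs - before
    recovered = msc.access(real, now=(attempts + 1) * spacing)
    return hammer_msgs, results, recovered


if __name__ == "__main__":
    for shared in (False, True):
        msgs, _, recovered = run(limit=3, attempts=20, ssd_shared=shared)
        print(f"ssd_shared={shared}: {msgs} link messages, then {recovered}")
```

With a window-based threshold, retries spaced more widely than the window never trip it, so the choice of window decides how much hammering still reaches the home network.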

Based upon the foregoing, it should now be apparent to 
those of ordinary skill in the art that the present invention 
provides a solution which advantageously avoids the build- 
up of unnecessary control signaling load when a failed 
mobile subscriber continues to attempt to access a radio 
telecommunications network, whether initially (before the 
SSD is shared) or after the SSD is sent to the visited 
network. Although the system and method of the present 
invention have been described in particular reference to 
certain radio telecommunications standards (for example,
the ANSI-41 standard), it should be realized upon reference
hereto that the innovative teachings contained herein are not 
necessarily limited thereto and may be implemented advan- 
tageously with any applicable radio telecommunications 
standard. 

Further, it is believed that the operation and construction 
of the present invention will be apparent from the foregoing 
description. While the method and system shown and 
described have been characterized as being preferred, it will 
be readily apparent that various changes and modifications 
could be made therein without departing from the scope of 
the invention as defined in the following claims. 

What is claimed is: 

1. A radio telecommunications network system compris- 
ing: 

a home network for controlling cellular communication of 
a subscriber over a home service area, the home network
including a Home Location Register (HLR) and
an authentication center (AC); 

a visited network for controlling cellular transmission 
over a visited service area, the visited network includ- 
ing a serving mobile switching center (MSC) and a 
Visitor Location Register (VLR) associated therewith; 

means for forwarding one or more authentication requests 
from the visited network to the home network; 

means for determining, in the home network upon detect- 
ing an authentication failure, that a threshold value 
associated with the network access attempts is trig- 
gered; 

means for sending a return message from the home 
network to the serving MSC, wherein the return mes- 
sage includes an authentication code portion; and 

means in the visited network, responsive to the return 
message from the home network, for locally authenti- 
cating the roaming subscriber based upon the authen- 
tication code portion received, when the roaming sub- 
scriber attempts to re-access the radio 
telecommunications network system. 

2. The radio telecommunications network system as set 
forth in claim 1, wherein the HLR and the AC are function- 
ally integrated into a single node and the authentication code 
portion comprises Shared Secret Data.

3. The radio telecommunications network system as set 
forth in claim 1, wherein the HLR and the AC are function- 
ally integrated into a single node and the authentication code 
portion comprises an encrypted A-key value. 

4. The radio telecommunications network system as set
forth in claim 1, wherein the MSC and the VLR are
functionally integrated into a single node and the authenti- 
cation code portion comprises Shared Secret Data. 

5. The radio telecommunications network system as set 
forth in claim 1, wherein the MSC and the VLR are 
functionally integrated into a single node and the authenti- 
cation code portion comprises an encrypted A-key value. 

6. A method of reducing control message traffic in a radio
telecommunications network of the type which includes a 
home network, comprising a Home Location Register 
(HLR) and an associated Authentication Center (AC), and a 
visited network comprising a serving mobile switching 
center (MSC) and an associated Visitor Location Register 
(VLR), the method comprising the steps of: 

forwarding one or more authentication requests from the 
visited network to the home network, when a visiting 
subscriber roams into a visited service area serviced by 
the visited network and periodically attempts to access 
the radio telecommunications network; 

upon detecting an authentication failure, determining, in 
the home network, that a threshold value associated 
with the periodic attempts to access the network is 
triggered; 

responsive to the determination in the home network, 
sending a return message from the home network to the 
serving MSC, the return message including an authen- 
tication code portion required for authenticating the 
visiting subscriber; and 

upon receiving the return message, performing a local
authentication step by the serving MSC if the visiting
subscriber attempts to re-access the radio telecommunications
network and thereby suppressing the forwarding
of additional authentication requests to the home
network.

7. The method as set forth in claim 6, further comprising 
the steps of: 

transmitting a subsequent authorization request from the 
visited network to the home network, provided the 
visiting subscriber has been successfully locally 
authenticated by the visited network; and 

responsive to the subsequent authorization request, 
authenticating the visiting subscriber by the home 
network. 

8. The method as set forth in claim 6, wherein the 
authentication code portion comprises Shared Secret Data. 

9. The method as set forth in claim 6, wherein the 
authentication code portion comprises an encrypted A-key. 

10. The method as set forth in claim 6, further including 
the step of suppressing one or more authentication failure 
reports by the visited network, the reports being provided 
when the visiting subscriber continues to fail the local 
authentication step by the serving MSC. 

11. A method of authenticating a mobile station requesting 
access to a radio telecommunications network having a 
serving mobile switching center (MSC) serving the mobile 
station, a visitor location register (VLR) associated with the 
serving MSC, a home location register (HLR) which stores 
subscriber information and location information relating to 
the mobile station, and an authentication center (AC) asso- 
ciated with the HLR, the AC and HLR forming a home 
network, said method comprising the steps of: 

receiving in the serving MSC one or more attempts to
access the radio telecommunications network by the
mobile station;

sending one or more corresponding authentication
requests from the serving MSC to the AC via the VLR
and the HLR;

determining in the AC that the mobile station failed
authentication;

determining in the home network that a threshold value
associated with the one or more attempts to access the
radio telecommunications network is triggered by the
mobile station;

sending a return message from the home network to the
serving MSC with an instruction to deny the mobile
station access to the network, said return message
including shared data for authenticating the mobile
station;

determining in the serving MSC whether the mobile
station passes local authentication whenever subsequent
network access attempts are received from the
mobile station;

suppressing instructions in the serving MSC to send
authentication failure reports to the AC if the mobile
station fails subsequent local authentication;

sending a subsequent authentication request from the
serving MSC to the AC if the mobile station passes a
subsequent local authentication; and

authenticating the mobile station in the AC.

12. A method of authenticating a mobile station requesting
access to a radio telecommunications network having a
serving mobile switching center (MSC) serving the mobile
station, a visitor location register (VLR) associated with the
serving MSC, a home location register (HLR) which stores
subscriber information and location information relating to
the mobile station, and an authentication center (AC) associated
with the HLR, the AC and HLR forming a home
network, said method comprising the steps of:

receiving in the serving MSC one or more attempts to
access the radio telecommunications network by the
mobile station;

verifying, by the serving MSC, the mobile station's
attempts by issuing one or more locally requested
validation procedures, corresponding to the attempts by
the mobile station;

determining in the VLR that the mobile station failed 
authentication; 

sending, by the VLR, one or more authentication failure 
reports to the AC, each corresponding to an authenti- 
cation failure by the mobile station; 

determining, in the home network, that the authentication 
failure reports have exceeded a threshold value asso- 
ciated therewith; 

sending a return message from the home network to the 
serving MSC with an instruction to locally authenticate 
the mobile station for subsequent accesses to the net- 
work; and 

instructing the VLR to stop sending authentication failure 
reports to the AC if the mobile station fails local 
authentication for its subsequent accesses to the net- 
work. 

13. The method as set forth in claim 12, wherein the 
requested local validation procedure comprises a unique 
challenge order. 

14. The method as set forth in claim 12, further compris- 
ing the step of instructing the serving MSC to locally 
authenticate the mobile station until the mobile station 
passes the requested local validation procedure. 

* * * * * 


